Policy Generator

Policy Generator is a simple workflow built into Illumio Core. It pairs with Illumio Core's labeling and policy modeling capabilities to provide an easy-to-use interface for creating segmentation policies. It matches historical connections, the processes these flows communicate with, and workload labels to automatically suggest policies for controlling intra- and inter-application traffic.

Simplify collaboration between application owners and security

Policy Generator allows you to build segmentation policies that protect critical applications. You can assign different teams ownership of different applications using role-based access control (RBAC):

• Application owners can use Policy Generator to review flows and create segmentation policies for individual applications, but they will not have the ability to approve and provision those policies—this is typically the responsibility of another group to ensure a separation of duties. Application owners can create these rules using declarative policies that use labels. Application teams therefore do not need to understand the underlying network infrastructure or keep track of networking constructs, such as IP addresses and VLANs, to create robust policy.
• Security teams can view, test, update, and the policies proposed by application teams.

Define policies with the right level of granularity

Policy Generator provides an easy-to-use interface for selecting the granularity (or level of restrictiveness) of your organization’s segmentation policies. You can define traffic restrictions for workloads at the environment level (least granular), application level, role/tier level, or even by the process/service running on individual workloads (most granular).

Leverage vulnerability information to create risk-based policies

When vulnerability maps are enabled, Policy Generator incorporates vulnerability information and the exposure of each vulnerability, which can be used to prioritize patching. If patching is not an option, Policy Generator will recommend segmentation policies that can be used as a compensating control until a patch is available.